Facebook this evening clarified the situation around SMS notifications sent using the company’s two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to “send non-security-related SMS notifications to these phone numbers.”
Facebook uses the automated number 362-65, or “FBOOK,” as its two-factor authentication number, which is a secure way of confirming a user’s identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.
The issue, which may have persisted for months or perhaps even longer, was flagged by Bay Area software engineer Gabriel Lewi, who tweeted about it earlier this week. Prominent technology critic and sociologist Zeynep Tufekci then used the situation as a springboard to criticize Facebook’s alleged unethical behavior, thinking the 2FA notifications may have been an intentional method for Facebook to boost user engagement.
“I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past,” Stamos writes in the blog post. “We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”
Stamos goes on to say that an additional peculiarity in which responses to its 2FA number were posted automatically to a user’s Facebook wall was an unintended consequence of the company holding on to an antiquated SMS feature from the days pre-smartphone, when SMS Facebook updating was more prevalent. “This feature is less useful these days. As a result, we are working to deprecate this functionality soon,” Stamos writes.